To pre-empt cybersecurity threats, today’s enterprises must have policies, processes and tools in place to not only defend against attacks but also strengthen their security posture by reducing organizational risk. Vulnerability management (VM) programs are foundational to managing cybersecurity risk, but for a variety of reasons, VM processes often stall or break down. When that happens, as it often does, the risk associated with a given vulnerability either continues to exist or is not completely eliminated. Here are eight best practices that help prevent that from happening:
- Scan hosts more frequently than networks: Network-based scanners add significant overhead as they scan through network services. They also require attention such as configuring settings, opening firewall ports and so on. Host-based scans, on the other hand, do not traverse the network; they eliminate network overhead and allow more continuous scanning.
- Scan images rather than instances: In modern cloud-native applications, most of the server instances are installed from one image. Testing the image for vulnerabilities instead of scanning the instances is yet another way that organizations can achieve continuous detection without straining network resources.
- Augment active scanning with “scanless” non-disruptive methods: Use data from existing DevOps, security and IT repositories such as patch/asset management systems to conduct scanless, rule-based profiling of potential vulnerabilities across all network nodes. When these non-disruptive, scanless results are consolidated with the results of periodic active scanning, the organization can achieve virtually real-time visibility into vulnerabilities without impacting performance. This approach can be implemented using open source tools such as osquery and QRadar.
- Use multiple factors and context-based risk assessment to prioritize remediation: A variety of external and internal sources should be correlated to better understand the severity of a specific vulnerability within the organization’s unique environment. Examples of external sources would be the CVSS score as well as threat intelligence repositories. Internal sources would be the organization’s asset management and change management systems to understand the business criticality and security posture of the assets threatened by the vulnerability.
- Maintain a single source of truth for all relevant teams: Enterprises typically have multiple teams working on vulnerability remediation. For example, the security team is charged with the responsibility for vulnerability detection, but it is the IT or DevOps team that is expected to remediate. Effective collaboration is essential to create a closed detection-remediation loop. Each team usually has specialized stacks of databases, processes and tools that can and should be tightly integrated into a centralized vulnerability management platform with the capacity to orchestrate remediation, so that they share a single source of truth. This best practice can be implemented in-house or it can be achieved through third-party solutions.
- It’s not all about patching: Vulnerability remediation must take shape in a reality where patches are not the only solution. Other remediation approaches include configuration management and compensating controls, such as shutting down a process, session or module. The optimal remediation method—or combination of methods—will differ from vulnerability to vulnerability. To achieve this best practice, it is important to maintain a knowledge base of how to match the best remediation solution to a vulnerability, based on the organization’s cumulative vulnerability management experience. It is also possible to take advantage of third-party knowledge bases that rely on very large data sets.
- Use remediation playbooks: To match the scalability and velocity of today’s threat environment, vulnerability remediation must be as automated as possible. One highly effective way to achieve such automation is to create predefined playbooks that are tailored to the organization’s environment. Here’s an example of a simple playbook scenario:
- Use vulnerability management metrics that improve and fine-tune detection, prioritization and remediation processes: Purely quantitative metrics such as a vulnerability count, average CVSS scores of detected vulnerabilities, number of scans run or vendor-based criticality do not provide meaningful insight into the effectiveness of your vulnerability management efforts. As discussed in more detail in this blog on vulnerability metrics, the more meaningful metrics are qualitative—such as coverage, vulnerability dwell time, the average number of vulnerabilities per asset over time and to what extent SLAs are being met. Make it a cross-enterprise objective to improve the vulnerability remediation metrics that have a real impact on your organization’s KPIs.
As is par for the course in cybersecurity, when it comes to vulnerability management, there are no silver bullets. But applying these best practices will help expedite remediation.